F. Saglietti and N. Oster (Eds.): SAFECOMP 2007, LNCS 4680, pp. 106–119, 2007. © Springer-Verlag Berlin Heidelberg 2007 Compositional Temporal Fault Tree Analysis Martin Walker, Leonardo Bottaci, and Yiannis Papadopoulos Department of Computer Science, University of Hull, UK m.d.walker@dcs.hull.ac.uk, l.bottaci@hull.ac.uk, y.i.papadopoulos@hull.ac.uk Abstract. HiP-HOPS (Hierarchically-Performed Hazard Origin and Propaga- tion Studies) is a recent technique that partly automates Fault Tree Analysis (FTA) by constructing fault trees from system topologies annotated with component-level failure specifications. HiP-HOPS has hitherto created only classical combinatorial fault trees that fail to capture the often significant temporal ordering of failure events. In this paper, we propose temporal extensions to the fault tree notation that can elevate HiP-HOPS, and potentially other FTA techniques, above the classical combinatorial model of FTA. We develop the formal foundations of a new logic to represent event sequences in fault trees using Priority-AND, Simultaneous-AND, and Priority-OR gates, and present a set of temporal laws to identify logical contradictions and remove redundancies in temporal fault trees. By qualitatively analysing these temporal trees to obtain ordered minimal cut-sets, we show how these extensions to FTA can enhance the safety of dynamic systems. Keywords: temporal fault trees, formal FTA, automated FTA, fault tree synthesis, formal safety analysis. 1 Introduction Fault Tree Analysis (FTA) is a safety analysis technique first used in the 1960s, and since then it has been used in a number of different areas, including the aerospace, automobile, and nuclear industries. However, despite the improvements it has received over the years, it still suffers from a number of problems. One major problem is that although the analysis of fault trees has long been automated, the actual production (or synthesis) of fault trees has remained a manual process. Recently, work has been directed towards addressing this problem by looking at the potential integration of design and safety analysis. In this work, fault trees are automatically produced from system models that contain information about component failures and their effects. Techniques developed to support this concept include HiP-HOPS [1] and Components Fault Trees (CFT) [2]; both support assessment processes in which composability and reuse of "component safety analyses" across applications becomes possible. In HiP-HOPS, a topological model of a system together with annotated failure data for each component is used to produce a set of fault trees and a FMEA (Failure Modes and Effects Analysis) for the system. Instead of forcing analysts to produce entire fault trees, they can focus on